A July 10th story from the ABA Journal asked the questions in this post's title after consulting with various experts. Let me say first that what happened to DLA Piper might have happened to any law firm – and it can't be much bleaker than being the focal point of this story. While I may, in future, look at what we know and don't know about this attack as the dust settles, I realize that the questions asked by the ABA are of intense interest to all law firms.
Insurance experts indicated that cyberattack insurance could cover external support, loss of income and bringing computer systems back online. Firms can buy coverage of up to $500 million, though the norm for coverage that augments third-party liability in professional indemnity insurance is for up to $100 million. We don't know what DLA Piper has in place.
Professional indemnity insurance is designed to protect clients, and not a law firm's exposure to cyber risk according to the experts consulted. PI insurance typically covers loss of client money or data, but it doesn't cover costs of dealing with a cyberattack.
Total costs in connection with the cyberattack on DLA Piper could reach millions, according to Brett Warburton Smith, a partner at independent insurance broker Lockton Solicitors. Personally, I am quite sure that costs will reach millions.
We have seen companies that offers cyberattack insurance that covers access to data breach law firms, a public relations firm and loss of income. Coverage could also include mitigation expenses, such as the costs of working remotely and outsourcing urgent work. But without knowing what DLA Piper has in place, everyone is just guessing at possibilities.
DLA Piper shut down its computer systems as a precautionary measure after it detected suspicious activity on its network. E-mail is back up and the law firm is "bringing other major systems online in a secure manner as well," according to a July 10th update by the law firm. DLA Piper continues to see no evidence that client data was taken or that confidentiality was breached, the statement said.
The firm's most recent update may be found here.
E-mail: email@example.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology